Most board directors still treat cybersecurity as something they oversee: a dashboard, a quarterly report, a briefing from the CISO. That framing is now incomplete.

Directors are not just governing cyber risk. They are increasingly part of the attack surface itself, in an environment where AI has dramatically lowered the cost, speed, and precision of attacks, the gap between what directors assume about their own exposure and what adversaries already understand is rapidly widening.

The Director as Target

Board directors carry something more valuable than access credentials; they carry authority, context, and relationships. A successful attack on a director doesn't just compromise a device; it can compromise a deal, a board vote, a regulatory filing, or an acquisition conversation that hasn't been announced yet.

Threat actors know this. Spear phishing campaigns, what those in the security community call "whaling" when they target senior leaders, now routinely target directors by name, using scraped biographical data, board committee assignments pulled from proxy statements, and publicly disclosed governance activities. Spear phishing accounts for less than 0.1% of all emails sent, but 66% of all data breaches. AI has made this dramatically cheaper and more precise. A well-crafted impersonation email drawing on your LinkedIn profile, your company's recent filings, and your committee role no longer requires a sophisticated state actor, just a prompt. Source: Spacelift

EXAMPLE 1: The $33 Billion, 10-Minute Attack

In September 2023, the Scattered Spider threat group compromised MGM Resorts, a $33.9 B company, through a ten-minute phone call. All they did was search LinkedIn for an employee's name, then call the IT help desk and impersonate that person. Using information collected from the employee's LinkedIn profile, attackers convinced the help desk to reset multi-factor authentication and gain access to MGM's Okta and Azure environments. The resulting ransomware attack disrupted operations across more than 30 properties for nearly a week. There was no zero-day exploit, no sophisticated malware, just publicly available information and a convincing phone call.

Directors are even more visible, and that can make them greater targets as they are named in proxy statements, governance filings, and press releases. The same playbook applies to them. Source: Cyber SecurityHub

AI Expanded the Attack Surface in Ways the Board Hasn't Mapped

AI tools have been deployed across most organizations faster than governance frameworks can absorb them. That speed created significant gaps, and directors sit at the intersection of several simultaneously.

The enterprise productivity tools most organizations rely on have become vectors. Board materials, the very documents directors use to prepare for meetings, increasingly flow through platforms with AI features embedded. What happens when those tools are weaponized?

The risk is no longer just user behavior; it is also system behavior.

Example 2: EchoLeak and the Invisible Breach

In June 2025, researchers disclosed EchoLeak (CVE-2025-32711), a zero-click vulnerability in Microsoft 365 Copilot that allowed a remote attacker to steal confidential data by sending a single crafted email, with no user interaction required. The exploit took advantage of how Copilot processes embedded instructions within Word documents, PowerPoint slides, and Outlook emails. By combining prompt injection with prompt reflection, attackers could trick Copilot into leaking confidential data without the user doing anything beyond opening a file. Microsoft patched the vulnerability, but the underlying architecture that incorporates AI systems that bridge internal and external data remains. A board chair who opens a "Q3 Strategy Update" deck and asks their AI assistant to summarize it may have no idea what else that document just instructed the system to do. Source: arXivHack The Box

Consider the implications: if a director uses an AI-assisted productivity suite to review board materials, and those materials are weaponized to silently exfiltrate content, the most privileged documents in the organization, such as M&A targets, audit findings, and compensation discussions, become reachable without a single login credential being stolen.

Then there's the director's own digital footprint, including personal email accounts, consumer AI tools, and devices used for both board work and personal life. By early 2026, AI-assisted content accounted for more than 82% of phishing campaigns, which means the volume, personalization, and polish of attacks targeting individuals like directors have scaled dramatically. The same director who approves the company's data governance policy may be accessing board portals on an unmanaged personal device. Source: Astra Security

The Oversight Gap That Makes You Liable

This is now a fiduciary issue, not just a security one, because the standards established in the Caremark case are evolving.

Caremark liability - the standard that holds directors personally accountable for failing to implement oversight systems and act on red flags is being actively applied to cybersecurity failures. Courts and regulators are not just asking whether the company had controls, but whether the board understood the risk landscape well enough to oversee it meaningfully.

Example 3: SolarWinds and the Cost of What the Board Didn't Know

In October 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures, alleging that the company overstated its cybersecurity practices and failed to disclose known risks from its 2018 IPO through the 2020 Sunburst attack. Separately, a group of investors sued the SolarWinds Board of Directors in Delaware state court, alleging breach of fiduciary duties for failure to oversee cybersecurity risks. The case ultimately underscored a stark principle: directors are not protected simply because they delegated cyber oversight to management. The question regulators and plaintiffs are asking is whether the board had the information, the systems, and the will to act. That standard is only getting stricter as AI introduces new failure modes that existing oversight frameworks haven't caught up to. Source: Cybersecurity DiveWhite & Case LLP

Delegation is not a defense

If directors are themselves a known vulnerability in the threat landscape, which they are, and the board has taken no action to understand or address that exposure, the oversight failure runs in both directions. Your D&O policy may not protect you the way you think it does. AI-related incidents are triggering new exclusions and underwriting requirements that most renewal conversations haven't surfaced. Consider the case if the underwriting application represented controls that don't exist in practice; coverage denial becomes a real outcome.

What Strong Governance Looks Like Here

Directors need to expand the scope of governance to include the board itself, and to stop assuming they're outside the threat model.

Strong governance in this environment means the board asks whether its own communications, devices, and digital behaviors are subject to the same scrutiny applied to management. It means director onboarding includes a substantive cyber briefing (not a checkbox) on how directors are specifically targeted and why. It means the CISO reports to the board not just on enterprise risk but on board-level exposure explicitly, and it means the AI tools in use across the organization,  including those touching board materials, have been security-reviewed with the same rigor applied to the network perimeter.

Who is responsible for protecting the board itself? And what have they actually done?

Questions Directors Should Ask Management

• Has our threat model been updated to include board directors as a specific attack surface and what controls exist to address that exposure?

• What AI tools have access to board materials, communications, or governance systems  and have those tools been formally security-reviewed?

• When did we last conduct a spear phishing simulation that targeted directors specifically, not just employees?

• Does our D&O policy explicitly address cyber incidents in which a director's personal device, account, or conduct was a contributing factor, and has our insurer reviewed our AI tool usage since the last underwriting cycle?

• What is the escalation path if a director believes their personal communications or devices have been compromised?

Questions Directors Should Ask Themselves

• Do I use personal email, personal devices, or consumer AI tools to access board materials, and do I know what our governance policy says about that?

• Have I been briefed specifically on how directors are targeted, not just on the company's general cyber posture?

• Would I recognize a sophisticated, personalized spear phishing attempt built from my own public profile?

• Do I know which AI tools I'm using that interact with confidential board information, and have I reviewed how those tools handle that data?

• If I were the weakest link in this organization's security posture right now, would anyone tell me?